IoTFuzzer: Discovering Memory Corruptions in IoT Through App...

Post on 30-Sep-2020


IoTFuzzer: Discovering Memory Corruptions in IoT Through App-based Fuzzing

Jiongyi Chen1, Wenrui Diao2, Qingchuan Zhao3, Chaoshun Zuo3, Zhiqiang Lin3,4, XiaoFeng Wang5,

Wing Cheong Lau1, Menghan Sun1, Rongai Yang1, and Kehuan Zhang1

Chinese University of Hong Kong1, Jinan University2, University of Texas at Dallas3, Ohio State University4, Indiana University Bloomington5

NDSS 2018

Presented by Md Mahbubur Rahman, Wayne State University

Outline

•  IoT Trend
•  Motivation
•  IoTFuzzer (This paper)
•  Challenges
•  Architecture: IoTFuzzer
•  Implementation and Evaluation
•  Conclusion

Internet of Things (IoT) Market

•  Applications
   •  Smart Home, Smart City, Agricultural IoT, etc.

•  Market growth by 2020
   •  20.4 billion IoT devices
   •  $3 trillion

•  Smart Home
   •  $53.45 billion by 2022

Smart Home market value (Source: Zion Research Analysis 2017)

Is IoT Secure?

•  NOT really!

•  Attacks: 2014-2016
   •  More than 90 independent IoT attacks [N. Zhang et al., CoRR 2017]

•  Mirai botnet attack on Oct 12, 2016
   •  Online IoT devices (e.g., IP cameras, home routers, etc.) are turned into bots
   •  Distributed Denial-of-Service (DDoS) attacks on online services

•  Reaper botnet attack

Firmwares of the IoT devices are not properly implemented & protected!!

What’s Done!

•  Few attempts have been made that closely deal with firmwares. [Davidson et al. USENIX Sec. ’13, Cui et al. NDSS ’13, Chen BlackHat ’09, Shoshitaishvili et al. NDSS ’15]

•  Limitations
   •  Firmware acquisition: vendors may not make it public
   •  Firmware identification & unpacking: unknown architecture, proprietary compression/encryption
   •  Executable analysis: requires lots of manual effort and is not accurate

It is worth looking into the IoT official applications

IoT Official Application

•  Controls and manages IoT applications

Contains rich information about the IoT system

Courtesy: Authors

IoTFuzzer: A Firmware-free Fuzzing Framework

•  Detects memory corruptions in IoT devices
   •  Null-pointer exceptions, buffer overflow, out-of-bound accesses, etc.

•  Leverages official apps and program logics to create meaningful test messages

•  Fuzzes in a protocol-guided way without explicitly reverse engineering the protocols

IoTFuzzer: Challenges

•  Diverse data formats and protocols
   •  XML, JSON, key-value pairs

•  Proprietary cryptographic functions

•  Crash monitoring
   •  How to determine the real-time status of the device?

TP-Link Kasa code snippet (figure)

IoTFuzzer: Solutions

•  Diverse data formats and protocols
   •  Mutate protocol fields before they are constructed as a message

•  Proprietary cryptographic functions
   •  Reuse cryptographic functions in the runtime

•  Crash monitoring
   •  Insert heartbeat messages

IoTFuzzer: Scope and Assumptions

•  Goal: Automatically generate protocol-aware messages to the IoT devices to discover memory corruptions

•  Assumptions
   •  IoT devices under testing are configurable and controllable with mobile apps
   •  Wi-Fi communication protocol
   •  Android apps

IoTFuzzer: Architecture

•  2-phase architecture
   •  Phase 1: App analysis
   •  Phase 2: Fuzzing

IoTFuzzer: Architecture – Phase 1

•  UI Analysis
   •  Call Path Construction
      •  Identify networking UI elements by constructing call paths from networking APIs to UI event handlers
      •  Networking APIs: URL.openConnection(), Socket.getOutputStream(), etc.
      •  Androguard [1]
   •  Activity Transition Graph Construction
      •  To trigger networking API events
      •  Monkeyrunner [2]

1.  “Androguard: Reverse engineering, Malware and goodware analysis of Android applications,” https://github.com/androguard/androguard
2.  “monkeyrunner,” https://developer.android.com/studio/test/monkeyrunner/index.html

IoTFuzzer: Architecture – Phase 1

•  Taint Analysis
   •  Identify protocol fields (variables) and functions
   •  TaintDroid [W. Enck et al. TOCS ’14]
   •  Taint Sources: strings, system APIs, user inputs
   •  Taint Sinks: data used at networking APIs and encryption functions

•  Cryptographic Function Identification
   •  Lots of related work
   •  IoTFuzzer employs a lightweight technique
   •  Cryptographic functions contain arithmetic operations and are called during the message delivery execution

IoTFuzzer: Architecture – Phase 1

Code example (figure)

Taint tracking output (figure)

IoTFuzzer: Architecture – Phase 2

•  Runtime Mutation
   •  Function Hooking
      •  Dynamically hooks the recorded functions and mutates the protocol fields at runtime to generate probe messages
      •  Xposed [3]
   •  Fuzzing Scheduling: to fuzz only a subset of all protocol fields
   •  Fuzzing Policy:
      •  Change the length of the strings to check overflow and out-of-bound access
      •  Change integer, double, or float (large values) to check overflow and out-of-bound access
      •  Change object types and provide empty values to check misinterpretation and null-pointer exception

1.  Rovo89, “Xposed Module Repository,” http://repo.xposed.info/
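The fuzzing policy and scheduling above, as an added Python example (not the authors' code, which hooks the app's Java functions through Xposed): each probe mutates one scheduled field with one strategy while every other field keeps the value the app would have sent. The sample message, its field names, and the length and magnitude constants are assumptions.

```python
import copy
import json

# Constructed sample message, as the app would assemble it before serialization
# (hypothetical field names; not taken from any real device protocol).
SAMPLE_FIELDS = {"cmd": "set_name", "name": "lamp", "brightness": 50,
                 "delay": 1.5, "cfg": {"mode": "auto"}}

LONG_STRING = "A" * 4096        # assumed length used by the "length" strategy
LARGE_INT = 2 ** 31 - 1         # assumed large values used by the "large" strategy
LARGE_FLOAT = 1e308

def mutate_field(value, strategy):
    """Apply one IoTFuzzer-style policy to a single protocol field value.
    Strategies that do not apply to the value's type return it unchanged."""
    if strategy == "length":                      # strings: change the length
        return LONG_STRING if isinstance(value, str) else value
    if strategy == "large":                       # int/double/float: large values
        if isinstance(value, bool):               # bool is an int subclass; leave it
            return value
        if isinstance(value, int):
            return LARGE_INT
        if isinstance(value, float):
            return LARGE_FLOAT
        return value
    if strategy == "type":                        # change the object type
        return [] if isinstance(value, (str, int, float)) else "x"
    if strategy == "empty":                       # provide an empty value
        return None
    raise ValueError("unknown strategy: %s" % strategy)

def generate_probes(fields, targets, strategies=("length", "large", "type", "empty")):
    """Build one probe message per (scheduled field, applicable strategy).
    Only the fields listed in `targets` are fuzzed (fuzzing scheduling); every
    other field keeps the value the app would have sent."""
    probes = []
    for name in targets:
        for strategy in strategies:
            mutated = mutate_field(fields[name], strategy)
            if mutated == fields[name]:
                continue                          # strategy not applicable to this type
            message = copy.deepcopy(fields)
            message[name] = mutated
            probes.append((name, strategy, json.dumps(message)))
    return probes

if __name__ == "__main__":
    for name, strategy, msg in generate_probes(SAMPLE_FIELDS, ["name", "brightness"]):
        print(name, strategy, msg[:60])
```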

IoTFuzzer: Architecture – Phase 2

•  Response monitoring
   •  Response Types
      •  Expected response
      •  Unexpected response
      •  No response
      •  Disconnection
   •  Crash Detection
      •  TCP-based connection: disconnection
      •  UDP-based connection: insert a heartbeat message after every 10 probe messages
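The response monitoring loop above, as an added Python example (not the authors' code): replies are classified into the four response types, a TCP disconnection pinpoints the crashing probe, and for UDP a heartbeat is sent after every 10 probes so a silent device is still caught. The device under test is a constructed stand-in; the heartbeat message, the expected-reply prefix and the crashing input are assumptions.

```python
from enum import Enum

class Response(Enum):
    EXPECTED = "expected"
    UNEXPECTED = "unexpected"
    NONE = "no response"
    DISCONNECT = "disconnection"

HEARTBEAT = '{"cmd":"ping"}'    # constructed heartbeat message (hypothetical format)
HEARTBEAT_EVERY = 10            # one heartbeat after every 10 probes (the UDP policy)

def classify(reply, expected_prefix):
    """Map one reply to the four response types used by IoTFuzzer."""
    if reply is None:
        return Response.NONE
    return Response.EXPECTED if reply.startswith(expected_prefix) else Response.UNEXPECTED

def run_probes(send, transport, probes, expected_prefix='{"ok"'):
    """send(msg) returns the reply, None on timeout, or raises ConnectionError on a
    TCP reset. Returns (indices of probes suspected of crashing the device, outcomes)."""
    outcomes = []
    for i, msg in enumerate(probes, 1):
        try:
            outcomes.append(classify(send(msg), expected_prefix))
        except ConnectionError:
            outcomes.append(Response.DISCONNECT)
            return [i - 1], outcomes         # TCP: disconnection pinpoints the probe
        # UDP: no disconnection signal, and "no response" alone is not a crash,
        # so a missed heartbeat blames the whole window of probes since the last one
        if transport == "udp" and i % HEARTBEAT_EVERY == 0 and send(HEARTBEAT) is None:
            return list(range(i - HEARTBEAT_EVERY, i)), outcomes
    return [], outcomes

class FakeDevice:
    """Constructed stand-in for a device under test: answers until it receives an
    oversized message, then crashes (UDP: stays silent; TCP: connection reset)."""
    def __init__(self, transport):
        self.transport, self.alive = transport, True
    def send(self, msg):
        if self.alive and len(msg) > 1000:
            self.alive = False
        if not self.alive:
            if self.transport == "tcp":
                raise ConnectionError("connection reset")
            return None
        return '{"ok":1}'

def demo(transport):
    probes = ['{"name":"lamp%d"}' % n for n in range(25)]
    probes[13] = '{"name":"%s"}' % ("A" * 2000)   # constructed crashing input
    return run_probes(FakeDevice(transport).send, transport, probes)
```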

Implementation

•  Implemented on 17 off-the-shelf IoT devices (apps are available on Google Play)

Evaluation

•  Testing Environment
   •  UI Analysis: Ubuntu 14.04, Intel Core i7 quad-core 2.81GHz CPU, 8GB RAM
   •  Taint Tracking: Google’s Nexus 4
   •  Network: Fully controlled local Wi-Fi

•  15 memory corruptions were found, including 8 previously unknown

Evaluation

•  Fuzzing accuracy (table)

Conclusion

•  IoTFuzzer: Limitations
   •  Only supports Wi-Fi connections
   •  Can only fuzz app-related code in IoT devices
   •  Only detects memory-related corruptions that lead to crashes

Questions?
